Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Anatomy of a Malware Attack: Emails with Password-Protected Files

Almost 94% of all malware attacks are delivered via email. These attacks may include ransomware, adware, spyware, and more. Lately we have observed a growing trend of distributing malware through password-protected email attachments. Let’s look at an example of what this kind of malware attack looks like so that you can better safeguard your inbox.

Example of the malware attack

The employee receives an email that appears to be from a trusted and well-known sender, or a common brand, with a catchy subject (e.g., ‘Invoice’, ‘Payment verification’, etc.). The email contains an attached file that is zipped and password-protected by the attacker. The password creates the illusion that the attachment must contain confidential personal information that had to be secured.

The password to open the file from the zip is included in the email:

Example of the malicious email

Field to enter the password to open the zipped email’s attachment

Once the password is entered and the file is opened, the user is infected by the malware. Usually, the payload is a trojan hidden within the email attachment.

Emotet trojan malware hidden in email attachments

The Emotet trojan is the most common type of malware we see delivered through password-protected email attachments. It’s usually delivered through spam and phishing emails that contain infected Microsoft Word or PDF files. When opening the file, the victim is tricked into enabling macros, which triggers the malware logic.

As seen in the example below, the victim opened the encrypted, zipped attachment—a Microsoft Word file. That file fakes a Microsoft Office Activation Wizard that urges the recipient to ‘Enable Editing’ and ‘Enable Content’ to view and edit the file.

Example of the content of the Emotet infected Microsoft Word document

If the user follows the ‘Enable Editing’ and ‘Enable Content’ prompts, they will enable the malicious macros embedded in the file, and the victim won’t even notice. The file then silently runs a PowerShell script:

Decoding the script reveals a downloader code:

As a result, Emotet will download and execute additional malware, which will be installed directly on the victim’s PC and bypass all possible detection.

Attacks that use password-protected zip files (and take advantage of social engineering) are virtually invisible to most email filtering techniques.
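A filter that cannot read the contents of an encrypted archive can still see that the archive is encrypted and that the message body hands out a password. The sketch below is an added example, not Cyren's code; the function names, the regular expression and the sample message are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Phrases such as "Password: 7781" or "password is 7781" in the message body.
PASSWORD_HINT = re.compile(r"(?i)\b(?:password|passcode|pwd)\b\s*(?:is)?\s*[:\-]?\s*(\S+)")

def encrypted_members(zip_bytes):
    """Return names of ZIP entries whose general-purpose flag bit 0 (encrypted) is set.
    A standard ZIP keeps its central directory readable without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def triage(raw_email):
    """Flag attachments that are encrypted ZIPs and note any password given in the body."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    hints = PASSWORD_HINT.findall(body.get_content()) if body else []
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        locked = encrypted_members(payload)
        if locked:
            findings.append({"attachment": part.get_filename(),
                             "encrypted_members": locked,
                             "password_candidates": hints})
    return findings

def constructed_sample(encrypted=True):
    """Build a constructed message; the ZIP holds placeholder bytes, not real encrypted data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder bytes, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:  # set the 'encrypted' flag bit by hand in the central directory header
        data[data.index(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached invoice. Password: 7781")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A message that returns a finding with a non-empty `password_candidates` list matches the pattern described in this post and is a candidate for quarantine or sandbox analysis rather than direct delivery.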

Protect Against Malware Attacks with Cyren Inbox Security

Cyren Inbox Security was built to safeguard each and every Microsoft 365 mailbox in your organization. It is a continuous and automated layer of security right in the user mailbox:

● Persistently rescans inbound, outbound and delivered emails in all folders

● Reduces investigative overhead with automated incident and case management workflows

● A seamless mailbox plugin lets users scan and report suspicious emails

Our malware detection is unsurpassed. Cyren’s global security cloud processes 25 billion email and web security transactions every day, identifying 9 new threats and blocking over 3,000 known threats each second.
